The HOL System

The HOL System is an environment for interactive theorem proving in a
higher-order logic. Its most outstanding feature is its high degree of
programmability through the meta-language ML. The system has a wide
variety of uses from formalizing pure mathematics to verification of
industrial hardware. Academic and industrial sites world-wide are using HOL.
The name `HOL' is pronounced either as a word to rhyme with `doll' or letter
by letter. The system is available without charge.

The HOL System is currently available in three
versions, HOL98, HOL90, and HOL88. They all implement the same logic,
but offer different functionality.

HOL98 uses
Standard ML
(specifically MoscowML) as both
its implementation language and its meta-language. It features some
important extensions over previous HOL systems. It also runs very well on
small machines. A preliminary user's manual is also available.

HOL90 uses
Standard ML
(specifically Standard ML of New Jersey) as both its implementation language
and its meta-language. It runs well on large machines.

The HOL System comes with a
Tutorial, a
Description, and a
Reference
Manual, plus manuals for each supported library. These are currently oriented
to HOL88 but the Reference Manual is in the
process of being converted to HOL90. There is
also a book based on
the Tutorial and Description (for HOL88):

The HOL System is designed to support interactive
theorem proving in higher order logic (hence the acronym `HOL'). To this end,
the formal logic is interfaced to a general purpose programming language (ML,
for meta-language) in which terms and theorems of the logic can be denoted,
proof strategies expressed and applied, and logical theories developed.

The version of higher order logic used in HOL is predicate calculus with terms
from the typed lambda calculus (i.e. simple type theory). This was originally
developed as a foundation for mathematics [1]. The
primary application area of HOL was initially intended to be the specification
and verification of hardware designs. (The use of higher order logic for this
purpose was first advocated by
Keith
Hanna [3].) However, the logic does not restrict
applications to hardware; HOL has been applied to many other areas.

The approach to mechanizing formal proof used in HOL is due to Robin Milner
[2], who also headed the team that designed and
implemented the language ML. That work centred on a system called LCF (logic
for computable functions), which was intended for interactive automated
reasoning about higher order recursively defined functions. The interface of
the logic to the meta-language was made explicit, using the type structure of
ML, with the intention that other logics eventually be tried in place of the
original logic. The HOL system is a direct descendant of LCF; this is
reflected in everything from its structure and outlook to its incorporation of
ML, and even to parts of its implementation. Thus HOL satisfies the early plan
to apply the LCF methodology to other logics.

The original LCF was implemented at Edinburgh in the early 1970's, and is now
referred to as `Edinburgh LCF'. Its code was ported from Stanford Lisp to
Franz Lisp by Gérard Huet at
INRIA, and was used in a
French research project called
`Formel'. Huet's Franz
Lisp version of LCF was further developed at Cambridge by
Larry Paulson, and became
known as `Cambridge LCF'. The HOL system is implemented on top of an early
version of Cambridge LCF and consequently many features of both Edinburgh and
Cambridge LCF were inherited by HOL. For example, the axiomatization of higher
order logic used is not the classical one due to Church, but an equivalent
formulation influenced by LCF.

The language ML has now achieved status as a programming language in its own
right, although it was originally designed as the proof management language
for LCF. It is a functional language distinguished particularly for its type
inference mechanism, that gives type security without overburdening the user.
Types, and especially abstract types, are the basis for distinguishing the
theorems of a logic from arbitrary formulae, in a secure way. A standard has
now been established for ML [4]. The most recent
version of Cambridge LCF, which is documented in Paulson's book
[5], is based on this
Standard ML.

The original HOL system included an earlier version of ML, as did the enhanced
and rationalized version, called HOL88, which
was released (in 1988) after the original HOL system had been in use for
several years. In the early 1990's HOL90, an
implementation of HOL based on Standard ML rather than Lisp, was developed by
Konrad Slind, initially at the
University of Calgary. A commercial version of HOL using Standard ML was also
developed by ICL Secure Systems. This system, now called ProofPower, is a
`highly assured' system for commercial verification projects in the safety and
security critical areas.

A proposal has
been put forward to develop a new version of HOL around the year 2000 that
will incorporate some of the results of research into the HOL system and its
applications, and other theorem proving technology. There is an
electronic mailing list for discussion of this
subject.

ACL2 is a theorem proving system produced at Computational Logic, Inc.
The acronym ``ACL2'' stands for ``A Computational Logic for Applicative Common
Lisp.'' ACL2 is similar to the Boyer-Moore theorem prover,
Nqthm, and
Kaufmann's interactive extension, Pc-Nqthm. However, instead of supporting
the ``Boyer-Moore logic,'' ACL2 supports a large applicative subset of Common
Lisp. Furthermore, ACL2 is programmed almost entirely within that language.

The Coq proof assistant allows mechanical manipulation of assertions of
the "Calculus of Inductive Constructions", interactive development of formal
proofs, and synthesis of certified programs from the constructive proofs of
their specifications.

Isabelle is a generic theorem prover written in
Standard ML. It is
generic in the sense that users can define their own logic using a metalogic.
Isabelle has a number of things in common with HOL: a programming
meta-language, tactics and tacticals, and a fully-expanded proof is generated
(over time). There are also significant differences, e.g., rules are not
implemented as ML functions but are represented as explicit structures, and
higher-order resolution is used for proof construction.

LAMBDA is a commercial system similar to Isabelle but specialised to a
classical higher-order logic with polymorphism like the one mechanised in the
HOL system. Early versions implemented a constructive logic of partial terms.
The system comes with a graphical interface for hardware design called DIALOG.

Nqthm is a theorem proving system for a computational logic. The
logic is (intentionally) similar to the core of the Lisp programming language.
It is untyped, quantifier free, and first order. Nqthm provides a high degree
of automation in terms of heuristics for simplification, induction, and
related activities. A proof in the system is generated by making definitions
and then calling the heuristics on the conjecture to be proved. The proof
attempt will typically fail, but examination of the prover's log (which is in
English) will reveal either a flaw in the conjecture or a lemma that the
prover needs to be aware of to succeed. The user then asks the system to prove
this lemma (possibly requiring other lemmas to be proved) and repeats the
attempt to prove the original conjecture. This process continues until the
prover succeeds on the conjecture.

Nuprl is another system descended from LCF. Its
logic is based on Martin-Löf's intuitionistic (constructive) type theory.
The infrastructure of Nuprl has much in common with HOL, but differs in that
proofs are represented explicitly as objects. However, these are not full
proofs in terms of primitive inferences; each node of the proof
tree corresponds to the application of a tactic which might be at a high
level. Nevertheless, this helps users to examine the proof, and facilitates
backtracking and alternative proof attempts.

OBJ

OBJ is based on order-sorted equational logic and is organised in
parameterised modules.

The Prototype Verification System from SRI International is an interactive
system for a higher order logic with dependent types. It has its own
specification language. Significant automation is achieved using decision
procedures for various theories including linear arithmetic.

Rewrite Rule Laboratory is a theorem prover for first-order logic with an
emphasis on equational reasoning.

SDVS

The State Delta Verification System is a verification system that
incorporates simplifiers, decision procedures and symbolic execution. It is
based on a temporal logic and has been mainly used for verification of
computer descriptions written in languages such as Ada and VHDL.

Veritas

Veritas is a logic developed by
Keith
Hanna to support formal design methods. It is motivated by
Martin-Löf's intuitionistic (constructive) type theory: it is higher
order and provides dependent types and subtypes, but it is a classical rather
than a constructive logic. The Veritas-90 version is implemented in both
Standard ML and
Haskell.
The intention behind the implementation in the purely-functional language
Haskell is to enable parallel evaluation. As in HOL, abstract data types are
used to securely implement the various syntactic categories of the logic, but
in addition to terms and theorems being implemented in this way, so is the
representation of theories, which are first-class objects in Veritas. In HOL,
theories are structures that are modified imperatively. In Veritas, a
purely-functional view is taken.